Dispelling two very common myths about clouds
Late last week, I read a Bloomberg Businessweek article titled “Cloud Security Is Looking Overcast” discussing several of the reasons many businesses either will not, or are reluctant to, adopt cloud services; especially public cloud services. While I do not necessarily disagree with the article in general, or even with what the author offers as reasons businesses are concerned – and they are concerned – about the security or reliability of cloud solutions, there are a couple of additional items I believe are worthy of further discussion.
In previous posts I wrote about some of the myths of cloud computing. Reading the Businessweek article led me to consider expanding my list. I would like to be clear, I am not at all stating that the author is wrong about the items discussed in the article, nor am I suggesting that business and IT managers are not concerned about them. The article addresses things I read about and discuss with people on what must be a daily basis. But, I believe that we need to continue the discussion and that by doing so might help to dispel a couple of common myths about cloud computing.
Myth: (Public) Clouds are Not Secure
The article discusses some very valid concerns regarding cloud security including compliance with policies designed to protect a business from hackers and malware, and concerns over the security of data. Both are valid. Without question both must be addressed by cloud providers and cloud consumers. To illustrate the latter, the author provides a great example of a search engine company that is concerned that customers’ sensitive search information will be left behind for future users of cloud services to discover, even after they have deleted it. (They guarantee their customers’ data will not be kept anywhere.) This is a legitimate, well-known issue that has existed for decades.
To address this, some cloud providers guarantee that their customers’ data is deleted and over-written before storage resources are given over to different customers. Others do not. It is important to know which policy your cloud provider follows, because file deletion can leave sensitive (or other) data on the disk. Recovering it might be analogous to the old detectives’ trick of rubbing a pencil lightly across a notebook to learn what had been written on a recently removed page. This can sometimes be helpful, as it was when I was able to recover photos from a memory device that someone had accidentally wiped clean. In other cases, such as the one covered in the article, it can be potentially devastating to a business.
Beyond acknowledging this concern, let’s take the discussion a step further.
While it is true that not all clouds are as secure as specific businesses may need them to be, I believe it would be untrue to state that all clouds are insecure. In my experience, that is a common – albeit frustrating – conclusion. It is also not the case that every cloud is secure enough for every business application; though there are plenty of very good cloud providers who can supply adequately secure environments to meet the needs of most businesses.
There are also cases where cloud providers can provide a much higher level of security than specific businesses are able to on their own, especially smaller ones. Good providers will be laser-focused on security and they will have the additional advantage of being able to employ the highest level of security expertise – expertise that many businesses would never be able to afford. The providers’ volume and business models will enable them to provide this expertise to their customers at a lower “cost per customer”, and this is one of the key advantages of clouds.
Myth: (Public) Cloud Services are Not Resilient
News of recent disruptions at some of the more well-known cloud providers has lead to concerns regarding cloud resilience. These concerns are, of course, legitimate as well. In the interest of brevity, the points here are very similar to those related to security. Without question, components will fail. As I discussed in a previous article, a key question is “will anyone notice?” Resilience can be addressed in many ways (in the cloud service, in the business application…), and that is a topic too large to address fully in this article. Though in many cases cloud providers, again due to their size, volume, and business model, will be able to offer much stronger resilience, or at least a better platform for resilience, than could some businesses on their own. Aaron Ricadela, the Businessweek story author, offers a great example of this: Gmail’s record of 99.99% uptime (less than 5 minutes down per month) in 2010.
Again, that is not to say that resilience issues will never surface. As Marc Benioff discussed in his book, “Behind the Cloud“, even cloud pioneer Salesforce.com had performance issues as they grew. (In the book Benioff shares the interesting story of how they responded, first incorrectly; and how a much more transparent, customer-centric response, one that led to the creation of trust.salesforce.com, delivered a better solution.)
While it is also true that some clouds may not offer the resilience that a specific business may require or desire, to state that no cloud is sufficiently resilient for business would be inaccurate.
As well, failures can and do occur in cloud and non-cloud environments, both on-premise and with a third-party. And organizations are changing the way business continuity is addressed in their applications. Application architects are now designing “cloud-savvy” resilience into their solutions that can respond to cloud platform failures (e.g.: Netflix “Rambo Architecture” and its use of “Chaos Monkeys”) to ensure resilience and business continuity even when components fail.
So, it is possible to offer resilience in cloud platforms, in applications that leverage them, or both. Though it’s not “free”. It’s not free in non-cloud environments either. Any resilient solution requires good planning and design; and resilient solutions will cost more. We should also keep in mind that not every application requires the same level of resilience, or security for that matter.
“Never Say Never Again”
Unlike some self-evident truths, not all clouds are created equal. Some are (or can be) very secure. Some are less secure, or not sufficiently secure to meet the requirements of certain applications. Some are not resilient, some are very resilient; and business can construct resilient applications that can leverage cloud platforms. Of course, the same can be said of private, on-premise services (cloud or not). Just ask the team at Sony, or any of the other businesses recently attacked that have made recent headlines.
I am not suggesting always choose cloud for the sake of cloud… but at the same time, we should “never say never” to cloud. (Apologies to Ian Fleming for borrowing a movie title; a quick search shows I am certainly not the first.) We must keep an open mind to solutions that might offer value to our businesses and the consumers they serve regardless of whether or not we consider them to be cloud-based solutions.
We also need to consider key details such as application and platform security, built-in and “built-on” resilience, service level agreements, contractual commitments, and vendor reputation and track record.
Finally, we must remember that not all services and applications require the same level of service, resilience, and security. And once a provider is chosen it is prudent to “trust and verify“. We cannot abdicate the duty of care for our customers solely to our providers and suppliers.
In general, I agree with Ricadela’s article. It compelled me to further discuss some of these cloud “myths”, and I am certain I am only scratching the surface.
What are some of the cloud related myths (either for or against cloud computing) that you have encountered? I would be grateful for your comments, and for your suggestions regarding others you would like me to comment on.
“Stormy sky” public domain image courtesy of Laurie Williams. “42″ image is the author’s own.